Cybersecurity vendor CrowdStrike has added new AI-powered indicators of attack (IoA) functionality to its Falcon platform. Announced at the Black Hat USA 2022 Conference, the enhancement leverages AI techniques to create new IoAs at machine speed and scale to help organizations stop emerging attack techniques and enable them to optimize detection and response, the firm said.
AI IoAs trained on real-world adversary behavior, rich threat intelligence
In a press release, CrowdStrike stated that Falcon now allows organizations to find emerging attack techniques with IoAs created by AI models trained on real-world adversary behavior and rich threat intelligence. Brian Trombley vice president product management, endpoint security at CrowdStrike, tells CSO that the AI-powered IoAs leverage intelligence from the CrowdStrike Security Cloud, where the firm collects over one trillion security events per day from its customer base.
“We correlate this telemetry using machine learning to create new IoAs,” Trombley adds. “Human threat experts then create a corpus of behaviors ranging from hundreds of thousands to millions of examples of clean and malicious activity, before data scientists begin the process of turning telemetry into an AI or ML model that powers the creation of new IoAs. All IoAs, including AI-powered IoAs, are delivered to the Falcon agent in the same fashion working alongside our sensor ML models. The AI-powered IoA technology is highly flexible and can be used to model on any event data captured by the CrowdStrike Falcon platform.”
AI-powered IoAs tested against rich field telemetry, crafted kill chains
CrowdStrike’s models are calibrated against an ever-expanding body of expert-generated ground truth that is aggregated across the Falcon platform – spanning intelligence from CrowdStrike’s Managed Threat Hunting (Falcon OverWatch), Malware Research Center (MRC), and Managed Detection and Response (Falcon Complete), Trombley tells CSO. “To test the accuracy of the AI-powered IoAs, CrowdStrike’s threat hunters and researchers evaluate the models against this rich field telemetry and specifically crafted kill chains.”
This ensures that the models are resistant to adversarial ML attacks, can detect malicious tactics, techniques and procedures (TTPs), and generate low false positive detections against real world customer data, Trombley says. “Additionally, prior to enabling live detections, in order to minimize customer exposure to false positives, the models are run silently to allow subject matter experts to meticulously evaluate detections and tune for best performance in-field.”
CrowdStrike strives to minimize false positives and false negatives as they leave security teams struggling to sift through yet more noise instead of stopping breaches, Trombley says. “We used this same testing capability to test and tune our AI-powered IoAs as well. During our testing, we identified over 20 new adversary patterns, which were confirmed by Falcon OverWatch’s elite threat hunters. Over the same period, our new models collectively identified less than ten false positives and have continued to perform at this level of fidelity since moving into general availability.”